lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 24 Feb 2017 18:48:27 +0100
From:   Peter Zijlstra <peterz@...radead.org>
To:     Masami Hiramatsu <mhiramat@...nel.org>
Cc:     Borislav Petkov <bp@...en8.de>, linux-kernel@...r.kernel.org,
        Ingo Molnar <mingo@...nel.org>,
        Thomas Gleixner <tglx@...utronix.de>
Subject: Re: kprobes vs __ex_table[]

On Sat, Feb 25, 2017 at 01:34:15AM +0900, Masami Hiramatsu wrote:
> > Ah, but that is only #PF, we also use __ex_table on other faults/traps,
> > like #GP which would need help in do_general_protection(),
> 
> #GP is also handled via kprobe_exceptions_notify().

Ah! that's where its hidden :-) Thanks!

> > It looks like it rewrites regs->ip, which would make return from fault
> > return to the wrong place, no?
> 
> Hmm, when regs->ip is reset to the original place, kprobe_fault_handler()
> returns 0 and normal #PF handler fixup pages etc. and retry from the
> original place. This might kick kprobes again and do singlestep.
> 
> So, yes, it may not enough for other faults if those will not only check
> regs->ip, but read the instruction pointed by regs->ip (as your patch).
> In that case you need to use recover_probed_instruction() instead of
> probe_kernel_address(). (BTW, recover_probed_instruction() uses memcpy()
> without checking kernel_text, it should use probe_kernel_address().)

> > One more complication with __ex_table and optimized kprobes is that we
> > need to be careful not to clobber __ex_table[].fixup. It would be very
> > bad if the optimized probe were to clobber the address we let the fixup
> > return to -- or that needs fixups too, _after_ running
> > __ex_table[].handler().
> 
> can_optimize() takes care about that case. If the probe target function
> (not only probed address) includes an exception address, it rejects
> optimizing probes.

Ah, so it does search_exception_tables(), which avoids clobbering actual
exception instructions, and most fixups live in .text.fixup and I cannot
actually find if that is excluded.

In any case, thanks for the pointers, I'll see if I can spot any actual
holes.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ